Outages are inevitable. Our focus should be on minimizing their scope, addressing underlying causes, and understanding that protecting systems is about keeping bad actors out while maintaining stability and reliability.

Source: Igor Goncharenko via Alamy Stock Photo

COMMENTARY

In an era where digital security is paramount, organizations invest heavily in cybersecurity tools to defend against cyberattacks. However, these same tools — designed to protect — can sometimes be the cause of major disruptions. From botched updates to unforeseen errors in protective software, the very systems meant to safeguard us can lead to widespread outages, with the recent cases of CrowdStrike and Verizon standing out as prime examples. 

**The Fine Line Between Protection and Disruption**

Cybersecurity solutions are essential in our interconnected world, helping businesses and governments protect sensitive data, infrastructure, and user privacy. However, when improperly handled, even the best tools can turn from protectors into sources of failure. 

Known for its strong cybersecurity offerings, CrowdStrike rolled out a threat intelligence update to its Falcon platform in July that inadvertently caused a major global outage, affecting airlines, banks, and hospitals. This incident, which resulted from a software glitch during the delivery of its "Rapid Response Content" threat signatures, left critical services temporarily offline, reminding us that even the most advanced security systems aren't infallible. 

Similarly, in September, Verizon experienced a massive network outage that left millions of customers without mobile service across the US. Although the exact cause of the outage is still under investigation, fears of a cyberattack have been discussed. However, early signs suggest that it could have stemmed from a technical issue or mismanagement during a network upgrade — further highlighting how small oversights in maintaining or updating network infrastructure can have outsized consequences. 

**The Domino Effect: More Than Just an Inconvenience**

When cybersecurity or networking systems fail, the impact often ripples far beyond the initial disruption. Take Verizon's outage as an example: Businesses dependent on the network lost critical communication channels, customer service teams were unable to assist clients, and productivity ground to a halt for countless users. These events illustrate the profound dependency modern society has on digital infrastructure, and when that infrastructure falters, so do economies, health services, and day-to-day life. 

But outages like these also create windows of opportunity for cybercriminals. When networks are down or overwhelmed, attackers may exploit system vulnerabilities or use the chaos as cover for more nefarious activities, such as distributed-denial-of-service (DDoS) attacks, ransomware deployments, or supply chain compromises. Therefore, resilience and proper update protocols are just as important as the defensive capabilities of any cybersecurity tool. 

**Lessons for the Industry**

These high-profile outages, including Verizon's and CrowdStrike's, serve as reminders that robust cybersecurity involves more than just tools — it requires continuous testing, resilience planning, and careful management of system updates. 

Key takeaways for businesses include: 

*   Test updates thoroughly: Even the best security patches can introduce new risks if not properly vetted. 
    

*   Invest in incident response: Prepare for outages or failures by developing comprehensive response plans that prioritize minimizing downtime and ensuring customer communication. 
    

*   Stay vigilant: Disruptions provide opportunities for attackers. Ensure that security monitoring continues even during outages. 
    

**Looking Forward**

As technology evolves, so must our approach to cybersecurity. While outages are inevitable, the focus should be on minimizing their scope, addressing underlying causes, and understanding that protecting systems is not just about keeping bad actors out — it's also about maintaining stability and reliability within the infrastructure itself. 

Cybersecurity tools must balance protection with resilience, ensuring that the systems designed to defend us don't inadvertently cause more harm. 

**About the Author**

Director of Security, Owlet Baby Care

Yvonne Dickinson is currently the Director of Security for a global and publicly traded company. Her depth of expertise resides within application and cloud security, although she is a generalist across the other security domains. Yvonne is extremely passionate about advocating for women in STEM fields and strives to make an impact where she can. Although her official title is Security Director, that job is secondary to her primary role as CMO — Chief Mom Officer — to her family. As a technical leader, she strives to find balance in her work and her home so she can succeed at both her jobs, and she empowers her team to do the same.

When Cybersecurity Tools Backfire

Using a malicious Chrome extension, researchers showed how an attacker could use a now-fixed bug to inject custom code into a victim's Opera browser to exploit special and powerful APIs, used by developers and typically saved for only the most trusted sites.

Source: Tierfotoagentur via Alamy Stock Photo

Researchers have uncovered a fresh browser attack that compromises "private" application programming interfaces (APIs) in Opera to allow carte blanche over victims' browsers.

Browser APIs provide a bridge between Web applications and browser functionalities — including those related to security, storage, performance optimization, geolocation, and more — enabling the websites you visit to provide better, more robust features and experiences. Most browser APIs are publicly known, available to all, and rigorously reviewed.

Companies, however, have a habit of giving special permissions to their own preferred apps and sites. The Opera browser, for example, saves "private" APIs for several preferred third-party domains — such as Instagram, Atlassian, and Russia's Yandex and VK — as well as its own internal development domains, and those that are publicly reachable in the production version of the browser.

These private APIs may be useful for developers, but researchers from Guardio demonstrated how they could be accessed by hackers, too, allowing cyberattackers an array of powers imaginable from a browser: changing settings, hijacking accounts, disabling security extensions, adding further malicious extensions, and more. They did so with a canine-themed proof-of-concept attack they called "CrossBarking."

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**CrossBarking Opera Browser Attack**

The goal of CrossBarking is to run malicious code in the context of sites with access to those powerful, private APIs. To do that, one could make use of, for example, a cross-site scripting (XSS) vulnerability. Or, even easier, a malicious browser extension.

Getting a malicious extension onto Opera is no small feat. Many a developer has complained about just how drawn out its manual review process can be — taking months or even years in some cases. The upside is the comfort that Opera's 350 million active users enjoy: that the extensions they add to their browsers have been well and thoroughly vetted.

That isn't as much the case, however, for Chrome extensions, which Opera allows its users to download. Chrome add-ons undergo a largely automated review process, and might go live within just hours or days of being submitted for approval.

So, to leverage privileged Opera sites, Guardio researchers developed a Chrome extension, not an Opera one. They designed it to add pictures of puppies to webpages — a guise for running scripts on any given site — and covered its maliciousness enough to get approved on the Chrome store. If a puppy-loving Opera user adopted the extension and visited a site with private API access, it would perform a direct script injection attack to run malicious code and gain access to any powers afforded by those private APIs.

Related:When Cybersecurity Tools Backfire

To demonstrate the full breadth of power afforded by CrossBarking, Guardio researchers targeted the settingsPrivate API, which allows for reading and editing any available browser settings. They used settingsPrivate to change a hypothetical victim's Domain Name System (DNS) settings, funneling all of their browser activity through a malicious DNS server. From there, the researchers had full view into the victim's browsing activity, plus the ability to manipulate the content of webpages or redirect the victim to malicious pages.

"You could almost take control over the entire browser, and the computer hosting it," explains Nati Tal, head of Guardio Labs. Though his PoC focused on changing a specific browser setting, "in the same way, you can change any other setting. There are many more APIs to hack — \[we didn't\] have enough time to check all of the possibilities."

**Security vs. Functionality in Browser APIs**

In the eternal struggle between functionality and security, browser developers will not easily part with the special APIs that allow them powers beyond those afforded to the hoi polloi. That applies to Opera, and other browsers as well. In May, Guardio discovered a not-dissimilar issue with a private API used for marketing in another Chromium browser, Microsoft Edge.

Related:Recurring Windows Flaw Could Expose User Credentials

To fix the CrossBarking issue, Opera did not do away with its private APIs or its Chrome extension cross-compatibility. On Sept. 24, though, it did adopt a sort of quick-fix solution already implemented in Chrome: blocking the ability of any extension to run scripts on domains with private API access.

"The infrastructure of Chromium is \[such that\] vendors need to take control of their security, and think about all the possible attack vectors there are. There are so many possible vectors," Tal concludes.

He adds: "In this case, again, it wasn't even in their \[app store\]. Opera is not responsible for Chrome Store, but they do allow extensions from there, so they need to think about it as well. \[They have to see\] the entire ecosystem, not only this vulnerability, to keep up with the threat."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'CrossBarking' Attack Targets Secret APIs, Exposes Opera Browser Users

Now a zero-day, the vulnerability enables NTLM hash theft, an issue that Microsoft has already fixed twice before.

Source: tdhster via Shutterstock

All versions of Windows clients, from Windows 7 through current Windows 11 versions, contain a 0-day vulnerability that could allow attackers to capture NTLM authentication hashes from users of affected systems.

Researchers at ACROS Security reported the flaw to Microsoft this week. They discovered the issue while writing a patch for older Windows systems for CVE-2024-38030, a medium-severity Windows Themes spoofing vulnerability that Microsoft mitigated in its July security update.

**Variant of Two Previous Vulnerabilities**

The vulnerability that ACROS discovered is very similar to CVE-2024-38030 and enables what is known as an authentication coercion attack, where a vulnerable device is essentially coerced into sending NTLM hashes — the cryptographic representation of a user's password — to an attacker's system. Akamai researcher Tomer Peled discovered CVE-2024-38030 while analyzing Microsoft's fix for CVE-2024-21320, another, earlier Windows themes spoofing vulnerability he discovered and reported to Microsoft. The flaw that ACROS uncovered is a new, separate vulnerability related to the two flaws Peled reported earlier.

Windows themes files allow users to customize the appearance of their Windows desktop interface via wallpapers, screen savers, colors, and sounds. Both the vulnerabilities that Akamai researcher Peled discovered had to do with the manner in which the themes handled file paths to a couple of image resources, specifically "BrandImage" or "Wallpaper." Peled found that because of improper validation, an attacker could manipulate the legitimate path to these resources in such a way as to get Windows to automatically send an authenticated request, along with the user's NTLM hash, to the attacker's device.

As Peled explains to Dark Reading, "The themes file format is an .ini file, with multiple 'key,value' pairs. I originally found two key,value pairs that could accept file paths," he says.

The original vulnerability (CVE-2024-21320) stemmed from the fact that the key,value pairs accepted UNC paths — a standardized format for identifying network resources like shared files and folders — for network drives, Peled notes. "This \[meant\] that a weaponized theme file, with a UNC path, could trigger an outbound connection with user authentication, without them knowing." Microsoft fixed the issue by adding a check on the file path to ensure it wasn't a UNC path. But, Peled says, the function Microsoft used for this validation allowed for some bypasses, which is what led to Peled's discovery of the second vulnerability (CVE-2024-38030).

**Microsoft Will Act 'As Needed'**

What ACROS Security reported this week is the third Windows themes spoofing vulnerability rooted in the same file path issue. "Our researchers discovered the vulnerability in early October while writing a patch for CVE-2024-38030 intended for legacy Windows systems many of our users are still using," says Mitja Kolsek, CEO of ACROS Security. "We reported this issue to Microsoft \[on\] Oct. 28, 2024, but we did not release details or a proof-of-concept, which we plan to do after Microsoft has made their own patch publicly available."

A Microsoft spokesman said via email the company is aware of the ACROS report and "will take action as needed to help keep customers protected." The company does not appear to have issued a CVE, or vulnerability identifier, for the new issue yet.

Like the two previous Windows themes spoofing vulnerabilities that Akamai discovered, the new one that ACROS found also does not require an attacker to have any special privileges. "But they have to somehow get the user to copy a theme file to some other folder on their computer, then open that folder with Windows Explorer using a view that renders icons," Kolsek says. "The file could also be automatically downloaded to their Downloads folder while visiting \[an\] attacker's website, in which case the attacker would have to wait for the user to view the Downloads folder at a later time."

Kolsek recommends that organizations disable NTLM where possible, but acknowledges that doing so could cause functional problems if any network components rely on it. "\[An\] attacker could only successfully target a computer where NTLM is enabled," he says. "Another requirement is that a request initiated by a malicious theme file would be able to reach the attacker's server on the Internet or in an adjacent network," something that firewalls should typically block, he says. As a result, it's more likely than an attacker would try to exploit the flaw in a targeted campaign more so than in a mass exploit.

Akamai's Peled says it's hard to know what ACROS's vulnerability is about without having access to the technical details. "But it might be another UNC bypass that circumvents the check, or it could be a different key,value pair that was missed in the original patching," he says. "UNC path formats are very complex and allow for weird combinations, which make detecting them very hard. This might be why it's so complex to fix."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Recurring Windows Flaw Could Expose User Credentials

A professional-grade tool set, appropriately dubbed "CloudScout," is infiltrating cloud apps like Microsoft Outlook and Google Drive, targeting sensitive info for exfiltration.

Source: Design Pics Inc. via Alamy Stock Photo

The China-sponsored Evasive Panda hacking crew has debuted CloudScout, a sleek, professional post-compromise toolset that retrieves data from various cloud services by leveraging stolen Web session cookies.

That's according to researchers at ESET, who uncovered CloudScout while investigating a pair of past breaches in Taiwan (targeting a religious institution and a government entity).

CloudScout is written in .NET, and it's designed to work seamlessly with MgBot, Evasive Panda’s proprietary malware framework. Via a plug-in architecture, MgBot feeds CloudScout previously stolen cookies, which it then uses to access and infiltrate data from the cloud, using the pass-the-cookie technique to hijack authenticated sessions from Web browsers.

ESET researchers observed individual CloudScout modules targeting Google Drive, Gmail, and Outlook, but in all, they believe Evasive Panda has developed modules for attacks on least 10 different cloud apps.  

"These modules are designed to access public cloud services … by hijacking authenticated Web sessions," according to ESET's analysis, released on Oct. 28. "This technique relies on stealing cookies from a Web browser database, then using them in a specific set of Web requests to gain access to cloud services," thus avoiding authentication checks like two-factor authentication (2FA) and IP tracking.

Related:Mobile Apps With Millions of Downloads Expose Cloud Credentials

After authentication, the CloudScout modules use a set of hardcoded Web requests, as well as complex HTML parsers to identify and extract any data of interest from Web responses, such as email folder listings and email messages. Once the data is collected, it's compressed into a .zip archive that can then be exfiltrated by either MgBot or another proprietary backdoor called Nightdoor.

**Chinese APT Hones Cyberespionage Arsenal**

Evasive Panda (aka Bronze Highland, Daggerfly, or StormBamboo) is an advanced persistent threat (APT) that's been operating since at least 2012, focused mainly on cyber espionage against civil society targets.

These include "independence movements such as those in the Tibetan diaspora, religious and academic institutions in Taiwan and in Hong Kong, and supporters of democracy in China," ESET researchers noted. "At times we have also observed its cyberespionage operations extend to countries such as Vietnam, Myanmar, and South Korea." It has also been seen targeting a handful of victims in Nigeria.

The Chinese APT is known for consistently evolving its cyberattack techniques, but the latest iteration is notable in its sophistication, the researchers wrote.

Related:SoftwareOne Launches Cloud Competency Centre in Malaysia

According to ESET, "The professional design behind the CloudScout framework … demonstrates Evasive Panda’s technical capabilities and the important roles that cloud-stored documents, user profiles, and email play in its espionage operations."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

China's 'Evasive Panda' APT Debuts High-End Cloud Hijacking

In the latest attack against ISPs, second-largest French provider Free fell victim to unknown cyberattackers who attempted to sell the compromised data it stole from the company on an underground cybercrime forum.

Source: Timon Schneider via Alamy Stock Photo

Free, a French telecommunications company and the second largest Internet service provider (ISP) in the country, has disclosed a cyberattack it fell a victim to over the weekend. It's the latest in a line of attacks against ISPs and telcos of late.

A threat actor stole information from the company's internal management tool, gathering data on the company's subscribers, and attempted to sell the data on the Dark Web in a cybercrime forum, the ISP confirmed to Agence France-Presse (AFP) on Oct. 26.

The hacker, known as "drussellx," posted a message on the forum, putting two databases stolen from the ISP company up for auction. The databases reportedly contained information on more than 19 million customer accounts, and more than 5 million international bank account details.

The bad actors gained "unauthorized access to some of the personal data associated with the accounts of certain subscribers," according to Free, which has more than 22 million mobile and fixed subscribers. However, it stressed that no passwords, bank-card information, emails, SMSs, or voicemails were compromised, and that its services were not been impacted.

Internet service provider networks are increasingly being targeted by bad actors in attacks to steal data and set up base for new tactics and techniques. Take advanced persistent threat (APT) Salt Typhoon, for example, which has been targeting these networks in the US, likely due to the information they can garner, such as home addresses, billing information, SMSs, and more.

Another APT group, known as Evasive Panda (aka StormBambaoo and DaggerFly), also targets ISPs, using them as a launchpad to exploit software vendor update mechanisms by using DNS poisoning.

Now, in the wake of its own ISP attack, Free reports that it soon will be informing impacted customers via email regarding the breach. It has also filed a criminal complaint and informed France's National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI).

French ISP Confirms Cyberattack, Data Breach Affecting 19M

A collaboration with the FBI and law-enforcement agencies in Europe, the UK, and Australia, Operation Magnus has seized servers and source code related to the two malware families, which have stolen data from millions of victims worldwide.

Source: JVPhoto via Alamy Stock Photo

The FBI in collaboration with various international law-enforcement agencies has seized the servers and source code for the RedLine and Meta stealers as part of Operation Magnus, and US authorities have charged one of RedLine's developers with various crimes. The stealers are responsible for the theft of millions of unique credentials from international victims, authorities said.

The intelligence bureau and the US Department of Justice (DoJ) are among several international agencies — including Dutch National Police, Belgian Federal Police, Belgian Federal Prosecutor’s Office, UK National Crime Agency, Australian Federal Police, Portuguese Federal Police, and Eurojust — that on Oct. 28 disrupted the operation of the cybercriminal group behind the stealers, which authorities claim are "pretty much the same" malware in a video posted on the operation's website.

Investigations into RedLine and Meta started after authorities learned about the potential of servers in the Netherlands being linked to the malware, according to a press statement by the European Union Agency for Criminal Justice Cooperation. Investigators went on to discover that more than 1,200 servers in dozens of countries were running the stealers.

Authorities eventually collected victim log data stolen from computers infected with RedLine and Meta, identifying millions of unique usernames and passwords, as well as email addresses, bank accounts, cryptocurrency addresses, and credit card numbers that have been stolen by various malware operators. Moreover, the DoJ believes that there is still more stolen data to be recovered, it said in a press statement on Operation Magnus.

Law enforcement also seized source code for RedLine and Meta as well as REST-API servers, panels, stealers, and Telegram bots that were being used to distribute the stealers to cybercriminals. Both malwares are typically are sold via cybercrime forums and through Telegram channels that offer customer support and software updates.

**RedLine Developer Charged by the DoJ**

As part of the US operation, the DoJ has charged Maxim Rudometov, one of the developers and administrators of RedLine, with access device fraud, conspiracy to commit computer intrusion, and money laundering. If convicted, Rudometov faces a maximum penalty of 10 years in prison for access device fraud, five years in prison for conspiracy to commit computer intrusion, and 20 years in prison for money laundering.

The DoJ also unsealed a warrant issued in the Western District of Texas that authorized law enforcement to seize two domains used by RedLine and Meta for command and control (C2). Dutch police also took down three servers associated with the stealers in the Netherlands, and two more people associated with the criminal activity were taken into custody in Belgium.

Assistant US Attorney G. Karthik Srinivasan is prosecuting the case in the US, while the investigation in Texas is being conducted by the FBI Austin Cyber Task Force, which includes the Naval Criminal Investigative Service, IRS Criminal Investigation, Defense Criminal Investigative Service, and Army Criminal Investigation Division, among other agencies.

**Widespread Stealer Distribution**

RedLine Stealer is a malware-as-a-service (MaaS) platform sold via Telegram and online hacker forums that targets browsers to collect various data saved by the user, including credentials and payment card details. It can also take a system inventory to assess the attack surface for further attacks. 

To that end, RedLine also can perform other malicious functions, such as uploading and downloading files, and executing commands. Meta meanwhile is basically a clone of RedLine that performs similar functions and also operates through an MaaS model.

Because of their widespread availability, both stealers have been used by threat actors with various levels of sophistication. Advanced actors have distributed the stealers as an initial vector upon which to perform further nefarious activity, such as delivering ransomware, while unsophisticated actors have used one or the other of the stealers to get into the cybercriminal game to steal credentials. Those credentials are often sold to other cybercriminals on the Dark Web to continue the cycle of cybercrime.

One popular way cybercriminals have distributed the stealers is to hide them behind Facebook ads, including ones promoting AI chatbots like ChatGPT and Google Bard. Other attack vectors have used phishing to embed the stealers in malicious files or links attached to emails.

International authorities plan to continue their investigations into the criminals using data stolen by the infostealers. For people concerned they may have been criminalized by RedLine and/or Meta, ESET is offering an online tool to allow people to check to see if their data was stolen and what steps they should take if it has.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

FBI, Partners Disrupt RedLine, Meta Stealer Operations

Great CISOs are in short supply, so choose wisely. Here are five ways to make sure you've made the right pick.

Source: Borka Kiss via Alamy Stock Photo

COMMENTARY

The artificial intelligence (AI) investment cycle we are currently in will drive new levels of cybersecurity risk in pretty much every organization, making the cybersecurity chief a CEO's most important current hire. Great chief information security officers (CISOs) — who blend technical, strategic, board-level communication, and leadership skills — are in high demand and short supply, and with technology constantly changing, the cybersecurity skill set is changing, too.  

**Attracting the Best**

How do CEOs, their executive teams, and their HR partners attract the best of the market? Here are a few ways.  

1\. Level and structure the role appropriately: If security — of enterprise data, customer information, or data right in the product itself — is so critical to your organization that one mishap can have a major impact on your revenues, then give the role some teeth. Don't bury it under IT operations, where you will attract a technologist, not a leader. Either have the CISO report to the chief information officer (who, in turn, should be reporting to the CEO given the critically of technology to your business) or make the CISO a CIO peer. If your security risk is less life threatening, and your CIO has depth in security, you can consider moving them down a layer. Is the CISO responsible for enterprise security or product security or both? Will the CISO have a small matrixed organization or a larger dedicated team?  While the right CISO will help you answer some of the questions, the more thoughtful you’ve been about these questions ahead of time, the better.  

2\. Educate your board: Public company boards do not yet fully understand their role in cyber governance. They often equate security to technology and tools rather than emphasizing the human behavior side of cyber incidents. While the board does not need to know the latest tools, they should understand what truly lies behind cyber incidents and how they should govern. By showing that you've primed the pump, and your CIO has been bringing the board up to speed on the risks and return of digital technologies, you are demonstrating a tech-savvy board. The market’s best CISO will see a savvy board as a requirement.  

3\. Think about both defensive and offensive tactics: The best CISOs will balance the defensive and offensive postures of information security. They will see the cyber role as both facilitating the growth of the business and securing it from cyber-risk. Show these rare birds that your board, executive committee, and CIO understand that technology must be a strategic advantage, not an unfortunate cost. Do your discussions about IT focus on expense only, or are your IT investments clearly aligned to your business value streams? Does your CEO talk in company meetings about how important technology is to the growth of the company? The quality of the CISO you can attract depends on our view of the impact of technology on your business.  

4\. Build and demonstrate a change management capability: People resist change, particularly if they do not perceive value in the change. Getting a large organization to follow security protocols takes a tremendous amount of adoption effort and change management. The better your organization is at driving the right behaviors in your employee base, the stronger your security program. During your candidate interviews, extoll the virtues of your change management team and your executive committee's understanding that good security is about culture, behaviors, education, and change. In fact, "change management" is quickly becoming the most important skill set of any technology leader, CISOs included.  

5\. Involve the board in the interview process: Actions speak louder than words, and a few board interviews will demonstrate to your CISO finalist that you and the board take cybersecurity seriously. It will also allow the CISO to assess his or her dynamic with the board. The board-CISO relationship is only going to be become more important, so getting an early read on that relationship will help ensure that it will work.   

With every dime we spend on AI, we produce risk. With every new Internet of Things (IoT) product we sell, we open a cybersecurity door. With every day that passes, our cyber foes are getting smarter. CEOs and their teams have a powerful weapon to fight these forces: the ability to attract the right CISO. While most companies have a head of security, these professionals are not all created equal. Some are "tool jockeys" who love technology but not people; then there are the CISOs with great regulatory knowledge but lacking great influencing skills. When you identify the right blend of technical, communication, and leadership skills, by showing your candidates know that you are serious about cybersecurity, you can make the right hire.  

**About the Author**

CEO, Heller Search

Martha Heller is a widely followed thought leader on technology leadership talent, and CEO of Heller Search, a premier technology executive search firm. Over the course of her career, Martha has become an authoritative voice on technology leadership and executive search. She has recruited hundreds of chief information officers (CIOs), chief technology officers (CTOs), architects, and other senior technology positions, and become a trusted adviser to executives around the country.

How to Find the Right CISO

Sophos CEO Joe Levy says the $859 million deal to acquire SecureWorks from majority owner Dell Technologies will put the Taegis platform — with network detection and response, vulnerability detection and response, and identity threat detection and response capabilities — at the core.

Source: DigitalStorm via iStock Photo

Sophos is doubling down on managed detection and response (MDR) services. Last week's agreement to acquire SecureWorks in an $859 million all-cash deal is set to close in early 2025 pending customary approvals, accelerating Sophos' push into MDR and extended detection and response (XDR) with SecureWorks' popular Taegis platform at the core, the company said.

SecureWorks has only 4,000 customers to Sophos' 600,000, but the company offers advanced XDR capabilities built on a cloud-native data lake architecture to larger enterprises and delivered by service providers. Building on its managed XDR capabilities, SecureWorks this year added network detection and response (NDR), vulnerability detection and response (VDR), and, most recently, identity threat detection and response (ITDR) to the Taegis platform.

Dell Technologies, which owns nearly 80% of SecureWorks' publicly traded shares, has been exploring ways over the years to divest its control of the security provider. Dell joins the small club of large companies that have quit the operations business this year: IBM abruptly announced the sale of its QRadar SaaS portfolio to Palo Alto Networks, and AT&T spun out its managed security business, now known as LevelBlue.

Meanwhile, Sophos was looking to add an advanced XDR and MDR platform that it could integrate with its own Sophos Central security operations center. The central management tool provides endpoint, server and email protection, and access to other security services, including firewall, cloud, and encryption, among other point offerings.

Sophos, which also added its vendor-agnostic MDR service to its portfolio in late 2022, quickly saw demand for it from its customers, says Enterprise Strategy Group principal analyst Dave Gruber.

"Scaling operations to serve an audience of this size is challenging, making this acquisition a smart move for Sophos, as SecureWorks has many of the best and brightest security professionals in the industry," Gruber says.  

**Building an XDR Platform on Taegis**

Sophos CEO Joe Levy says he can't reveal specific integration plans while the deal, set to close in the first quarter of 2025, undergoes regulatory clearance processes. But he doesn't dispute that bringing Taegis and Sophos Central together is what is driving this deal, which would mark the largest since the company was founded in 1985.  

"We're aiming toward this world where we bring together the best hits of the two operations," Levy tells Dark Reading. "We will figure out that combination of the technology stack — Taegis inside Sophos Central and the security operations center itself."

That will include delivering the MDR business and the VDR, managed risk, and ITDR, he adds.

"\[It's\] the service component that customers are relying on to help to keep them secure," Levy says.

Besides determining a unified approach to provisioning services from SecureWorks and Sophos offerings, a key challenge will be enabling collaboration among the security operation teams within its MDR business, customers, and partners — notably MSPs and MSSPs that deliver the two companies' respective offerings, Levy explains.

"We want to produce the best possible workflows while demonstrating empathy and understanding of what the security operators are doing every single day," he says. "These are the driving principles that are going to be guiding the way that we undertake this."

**SecureWorks Shift to XDR Platform**

SecureWorks began developing Taegis in 2017 and launched it in early 2021. Taegis is built with a data lake architecture designed to ingest and normalize data and an analytics engine built to identify, prioritize, and block threats.

SecureWorks CEO Wendy Thomas told investors during the company's Q2 2025 quarterly earnings call in September that she sees continued growth potential for Taegis.

"We've increasingly seen customers more than ready to move away from noisy, hard, and expensive-to-maintain SIEMs \[security information and event management\] to an XDR approach to detection and response," she said. "That trend is only accelerating."

Analysts and customers have given Taegis high marks.

"The Taegis platform from SecureWorks has great detection and response capabilities," says IDC analyst Craig Robinson.

While SecureWorks' and Sophos' respective MDR services offer many similar features, Robinson notes that Sophos' offering has a more vendor-independent model than Taegis.

"While there's overlap, Sophos has more individual products while Taegis is a platform," he says.

Independent consultant William Klusovsky says he believes that adding SecureWorks is poised to deepen Sophos' reach into larger enterprises and offer richer services to small and midsize organizations. But he warns that Sophos could "fumble" that potential if it doesn't adequately invest in the integration of the products.

"If they are too short-sighted and focus only on financials and returns, they could end up with two businesses that don't work together and lose the talent they need to create the right business," Klusovsky says. "They need to have a vision, stick to it, and believe in it."

**Transition to Managed Security Services**

Sophos is owned by private equity firm Thoma Bravo, whose portfolio is mostly product companies, while both SecureWorks and Sophos have been shifting to services, Klusovsky notes.

"The services industry is very different," he says. "The good news is the product road maps and integrations should be something they can create efficiency with and drive in a positive direction. The unknown is going to be in managing service delivery, sales, the channel, and go-to-market as these motions are very different for a managed services provider than a product company."

Levy says he first started driving the shift from a product-only cybersecurity business to a hybrid product and services business in 2018, before Sophos agreed to be acquired by Thoma Bravo.

"We now think of it more in terms of life cycles of engagement with our customers, rather than just selling them a product or selling them a service," Levy says. "We're working in collaboration with this ecosystem of cybersecurity players to maintain life cycle engagements with customers, so just pray that the next point solution they buy is actually going to provide better security."

Similarly, SecureWorks has undergone several significant changes, having shifted from operating as a managed security services provider to a platform supplier. Instead, SecureWorks tapped its ecosystem of channel partners to offer the Taegis platform with their own managed security services.

IDC forecasts that demand for managed security services will grow to $44 billion in 2024, up from $39.5 billion in 2023. Demand is estimated to grow to $49.2 billion next year, IDC's Robinson says. Driving the growth are shrinking budgets and a dearth of skilled security operations talent.

"Everyone's looking at and making sure that for every dollar spent, it's being spent in the right way," he says. "And managed security services is not only a better way, but it's also, more often, a better outcome."

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Sophos-SecureWorks Deal Focuses on Building Advanced MDR, XDR Platform

Windows 11 machines remain open to downgrade attacks, where attackers can abuse the Windows Update process to revive a patched driver signature enforcement (DSE) bypass.

Source: willi Lumintang via Shutterstock

Fully patched Windows 11 systems are vulnerable to attacks that allow an adversary to install custom rootkits that can neutralize endpoint security mechanisms, hide malicious processes and network activity, maintain persistence and stealth on a compromised system, and more.

The assault involves a Windows OS downgrade attack technique that SafeBreach security researcher Alon Leviev demonstrated at Black Hat USA 2024 in August, and for which he developed an exploit tool called Windows Downdate. Leviev showed how an attacker, with admin-level access to a system, could tamper with the Windows Update process and revert fully patched Windows components, including dynamic link libraries, drivers, and the kernel, back to a previously vulnerable state.

**Windows OS Downgrade Attack**

As part of the demo, the researcher showed how the attack would work even in situations where an organization might have enabled virtualization-based security (VBS) to protect critical OS components. As part of the demo, Leviev downgraded VBS features like Secure Kernel and Credential Guard’s Isolated User Mode Process to expose privilege escalation vulnerabilities in them that Microsoft had previously already addressed.

"I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term 'fully patched' meaningless on any Windows machine in the world," Leviev wrote in August.

Since then, Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) that Leviev reported to the company after discovering and exploiting them as part of his attack chain. However, Microsoft has so far not addressed the ability for an attacker with admin access to abuse the Windows Update process itself to downgrade critical OS components back to insecure states.

**Not a Security Vulnerability?**

The issue has to do with Microsoft refusing to consider the ability for an admin-level user to gain kernel code execution as crossing a security boundary. "Microsoft did fix every vulnerability that resulted from crossing a defined security boundary," Leviev tells Dark Reading. "Crossing from administrator to the kernel is not considered a security boundary, and hence it was not fixed."

To show why that remains a threat, Leviev on Oct. 26 released details of a new Windows downgrade attack he developed, where he used his Windows Downdate tool to revive a driver signature enforcement (DSE) bypass attack that Microsoft had mitigated with its patch for CVE-2024-21302. He showed how an attacker could abuse the issue to load unsigned kernel drivers and deploy bespoke rootkits.

"The 'ItsNotASecurityBoundary' DSE bypass belongs to a new class of flaws known as False File Immutability (FFI)" that researchers at Elastic Security reported earlier this year, Leviev wrote in his Oct. 26 post. "This class exploits incorrect assumptions about file immutability — specifically, that blocking write access sharing makes a file immutable."

Leviev says that all he had to do to execute the attack was to identify the specific OS module (CI.dll) to which Microsoft had applied the patch for CVE-2024-21302, and then use his Downdate tool to downgrade the module back to its unpatched version.  

"Downgrading only ci.dll to its unpatched version works well against a fully patched Windows 11 23h2 machine," Leviev wrote on Oct. 26. The researcher added he was able to exploit the issue even when VBS was enabled, with and without UEFI lock for securing the boot process and firmware configuration. "To fully mitigate the attack, VBS needs to be enabled with UEFI lock and the 'Mandatory' flag. Otherwise, it would be possible for an attacker to disable VBS, downgrade ci.dll, and successfully exploit the flaw," he noted.

In an emailed comment, Tim Peck, senior threat researcher at Securonix, described the Windows Downdate attacks as taking advantage of Windows not always validating the version numbers of its DLLs when loading them. This enables "attackers to trick the operating system (OS) into using outdated files that are more susceptible to exploitation," he explained. "If the attacker is able to downgrade Windows Defender, especially in regards to security updates, they would have free rein to execute malicious files or tactics that would normally have been caught."

**Microsoft Is Now Working on a Fix**

A Microsoft spokesman noted in an email that the company is "actively developing mitigations to protect against these risks," without specifying what measures it might be taking or when they would be available. The company is thoroughly investigating update development and compatibility development, he wrote.

"We are developing a security update that will revoke outdated, unpatched VBS system files to mitigate this threat," he wrote. "Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions."

Microsoft will also continue to update information around CVE-2024-21302, he wrote, with additional mitigation or relevant risk reduction guidance as they become available.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Windows 'Downdate' Attack Reverts Patched PCs to a Vulnerable State

The nation leads in the number of capture-the-flag tournaments sponsored by government and industry — a strategy from which Western nations could learn.

Source: KB-photodesign via Shutterstock

Over the last decade, the Chinese government has established an efficient pipeline of capture-the-flag (CTF) tournaments both as a way to attract cyber-savvy citizens to cybersecurity, and as part of its cybersecurity curriculum and training regimen.

The efforts have paid off.

Today, the nation has more than 50 annual competitions used as part of the training of tens of thousands — and possibly, hundreds of thousands — of cybersecurity specialists, while creating stronger connections to government and industry, according to a research report published by the Atlantic Council on Oct. 18. Moreover, sector-specific contests — targeting mobile, autonomous vehicles, and smart cities, for example — help deepen the technical expertise of participants and address the specific needs of each industry.

Overall, the Chinese government has successfully marshaled the nation toward solving its cybersecurity shortages and the goal of becoming a cyber superpower, says Eugenio Benincasa, senior cyber defense researcher at the Center of Security Studies at ETH Zurich and a co-author of the report.

"China, like the West, has a scarcity of talents, and addressing that scarcity through a system that can help you to evaluate talent is definitely a better way of addressing the problem," he says. "If you look at the entire ecosystem, there are many ways in which hacking contests can bring better allocation of resources, both in the short and also in the long term."

In 2014, Chinese President Xi Jinping called for the country to become a "cyber great power," aiming to strengthen its technology industry, while at the same time, embarking on a domestic effort to restrict its reliance on foreign technology. Cybersecurity has become a key element of that effort: The Chinese government has successfully created a pipeline for training future cybersecurity specialists, restricted the dissemination of vulnerability information, and established its own cybersecurity providers. These include hacking firms and cyber-range operators — such as Beijing Integrity Tech and Cyber Peace — which act both as hosts for legitimate infrastructure and for some nation-state actors, such as Flax Typhoon.

**Critical Curriculum for Cybersecurity Studies**

Hacking contests are a key component of the nation's efforts. At least 129 unique cybersecurity events, including 54 annual contests, were identified by the report's authors, Benincasa and Dakota Cary, a strategic advisory consultant at Sentinel One.

China's Ministry of Education accounts for the most competitions — a total of 22 — identified by the researchers, compared with 14 associated with the Cyberspace Administration of China, and 13 sponsored by the Ministry of Public Security, according to the report. About two-thirds of universities considered hacking contests to be an important part of the curriculum for cybersecurity specialists, with more than three-quarters of students (77%) participating in at least one event by the end of their sophomore year.

Since the early 2010s, China's CTF competitions have taken off. Source: "Capture the (red) flag" report, Atlantic Council

Among other benefits, the competitions allow the Chinese government to gain important information on new strategies and techniques, as well as collecting exploit techniques used by participants, which the government mandated since 2018. Hacking contests can also attract younger participants, such as high schoolers, into the field of cybersecurity, and help professionals keep up their skills.

Compared to China's comprehensive approach, Western nations continue to fall short, Benincasa says.

"There are contests that are organized by the private companies or universities, but they do not go into the detail or scale that we see in China, nor they are part of university degrees," he says. "They do not count as part of the evaluation to your grades, and so that practical-skill, direct-confrontation component is absent compared to the Chinese ecosystem."

**China's Reversal of Cyber Fortunes**

The effort is a reversal of the situation before 2015, when Chinese CTF teams struggled in international contests and met with social condemnation domestically for profiting from vulnerability awards. China's CTF ecosystems — especially the intercollegiate competitions, which bring together hundreds of teams — are now the best in the world, according to the researchers. Major contests include the Information Security Ironman Triathlon, Qiang Wang Cup, Wangding Cup, and National University Cyber Security League.

The events all have government support, with the Ministry of Public Security, the People's Liberation Army, the Ministry of State Security, and the Ministry of Education all sponsoring at least one of the university-based events each.

Western governments could learn from the approach, Benincasa says. Currently, the US and Europe face a scarcity of cyber talent because of a lack of a pipeline for funneling technically minded students into cybersecurity roles.

"We are behind when it comes to, specifically, the hacking-contest ecosystem," he says. "We need to integrate CTF contests into academic curricula, so we can have a better, more direct correlation between hacking classes and the graduation of talent."

China was able to turnaround its cybersecurity picture, and the lesson is, focusing on practical experience through hacking contests and CTF tournaments — as well as creating deeper pipelines between universities, the government, and industry — could go a long way toward solving the problems.

"This was very much a bottom-up, organically driven process that at some point the state recognized and encouraged," he says. "They started seeing these successes abroad and recognizing — because of geopolitical events like Stuxnet and \[Edward\] Snowden — recognizing how important \[cybersecurity\] is and that contributed to the breaking of taboos and ... a big change in the culture."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Source

DARKReading